Coping With HIPAA Rules Delay
Breach Notification a Top Concern for Organizations
"Without that final rule, you pretty much feel as though you're in limbo," Myrold says.
The privacy officer at Hennepin County Medical Center in Minneapolis recently testified before a Senate committee considering healthcare information privacy and security issues (see: HIPAA Updates: What's the Hold Up?). At that hearing, Leon Rodriguez, the new director of the Department of Health and Human Services' Office for Civil Rights, declined to say when an omnibus package of regulations containing the two rules would be released. But in a recent speech, he indicated regulators were "hurrying up" their efforts to issue the regulations, which were mandated under the HITECH Act and are long overdue (see: Permanent HIPAA Audit Program Coming).
Because the rules have been further delayed, healthcare organizations have "just missed another budget cycle" to make the case for more employees or more applications to help with compliance, Myrold says in an interview with HealthcareInfoSecurity's Howard Anderson (transcript below).
"I think credibility kind of gets lost when it takes longer," Myrold says. "If it's not important to issue the final rule, then organizations might start thinking, 'Well, it's not important for us to implement that then either.'"
In the interview, Myrold also says:
- Federal regulators should issue much more detailed HIPAA compliance guidance, including model policies and procedures.
- Hennepin County Medical Center has beefed up its agreements with business associates in light of the high number of breaches across the nation that have involved vendors. For example, the hospital requires business associates to strictly limit who has access to patient data as well as provide evidence of the results of an audit of their security procedures.
- The hospital has made widespread use of thin client computing to limit the amount of information stored on mobile and other devices and help minimize risk.
Myrold is responsible for managing the information privacy and security office at Hennepin County Medical Center and for providing advice, guidance and training to management and staff on all privacy-related matters. She previously served as chief deputy county attorney for the Carver County Attorney's Office.
HIPAA Rules Delay
HOWARD ANDERSON: At a recent Congressional hearing, you expressed frustration about the delay in issuing the long pending omnibus package of regulations that includes, among other things, the HIPAA modifications and the final version of the HIPAA breach notification rule. How is that delay affecting you in your role as a privacy officer, and how do you think it's affecting HIPAA compliance overall?
KARI MYROLD: With regard to healthcare organizations and the implementation of HIPAA, the sooner the final rules come out, the better place we will be in order to implement and enforce them throughout our own organizations. ... A delay in the rules results in a delay of implementation by organizations. Without that final rule, you pretty much feel as though you're in limbo. You're wondering, "Do we spend resources on this or do we wait and see what happens? How much is going to change in a final rule?"
Currently as it exists, we have missed another budget cycle if we were to request additional employees or software applications that might indeed help us come into further compliance or implement the rules. I think what you end up doing is developing processes on a temporary basis. ... For the breach notification rule, many organizations are using different types of matrices to try to determine whether or not there was harm done or the level of harm. And I think one of the questions being discussed - and hopefully will come out in the final rule - is whether or not we move forward with this determination of what level of harm was done, or if we just end up putting [out] notifications every time we have a breach. ...
I think credibility kind of gets lost when it takes longer. If it's not important to issue the final rule, then organizations might start thinking, "Well, it's not important for us to implement that then either."
Detailed Guidance Sought
ANDERSON: You also call on federal authorities to issue detailed guidance on a number of issues. What guidance would you like to see issued, and how would it be helpful?
MYROLD: There were a number of areas indicated in my testimony; all of these affect consistencies in applying these rules throughout organizations. One of them that I certainly would like to see is policies and procedures. I think if more guidance would have been put out initially with regard to the types of policies, or model policies even, you'd see a lot more consistency throughout organizations. I know that when OCR does do an investigation with an organization, one of the main things they look at is, "I'd like to see your policies on this area or this area," and they've certainly been instructional in giving advice ... which has been very helpful. But it just kind of goes to show you that there's inconsistency throughout, and so model policies would have been a really good help in the very beginning.
Of course, business associates [regulatory requirements] are another area where we're waiting for in the final [HIPAA modifications] rule and implementing in that area. For the data breach rule, I've already talked about the matrix, the level of harm and what consistency, through subjective or objective criteria, organizations are using in that area. Then accounting of disclosures is another one where, although they've reduced the time-reporting period at least initially in the temporary rules from six years to three years, they're including a much broader perspective as far as looking for disclosures [in the patient access report provision] ... and I don't really think that's the type of information that patients are looking for.
Then, one other area that's of interest to us is waiting for final [HIPAA] rules on fundraising and marketing issues. Hennepin County Medical Center has a fairly new foundation that was established a few years ago, and there are rules that we're waiting for before we actually finalize some of the things that we're doing in that regard as well.
Business Associate Requirements
ANDERSON: In your written testimony you noted that your medical center has stiff privacy requirements for its business associates. Can you please walk us through some of those requirements and why you believe they're necessary?
MYROLD: There has been a high incidence of breaches that involve vendors, and so one of the things that we have been looking at the last year or so is beefing up our business associate agreement. We do require our business associates to sign a contract and attach to that contract a business associate agreement. We also do require privacy training of our vendors depending on whether or not they will be accessing through a virtual environment ... electronic records or what their services actually might be for us as a business associate. But we require them in our business associate agreement to state the type of PHI - protected health information - that they will be accessing and we then limit that access by the amount of data or the type of individual that they might want to access, and then state for us exactly what purposes they're going to be using that for. So we're really trying to limit down the amount and the use of that data.
Then we also ask them for a proof of compliance with security requirements, basically a recent assessment that they might have gone through with a third party or internally some type of an audit that shows us that their security systems are functioning and working.
ANDERSON: In your testimony you also lamented that too many organizations are not making widespread use of encryption, which has led to a lot of the breaches. Can you describe how your organization is using encryption and why you took those steps?
MYROLD: Like for most organizations, encryption is a large expense, and I think that what happens is it becomes a process. You might encrypt your e-mail and your laptops or any other mobile devices [and then] your desktops. It's still not a requirement through HIPAA, but obviously if you have it, it provides a higher level of protection. At some point, it makes good business sense because of the nature of the data that you're using within the healthcare industry.
A number of organizations still aren't using encryption, maybe because it hasn't been a real requirement, and also due to the cost of implementing, which is probably why it becomes more of a process and you do it in stages. But it requires additional IT focus, maybe more personnel, certainly more applications, and then selecting a vendor that you're going to have doing that for you. We definitely encrypt because we want to safeguard the nature of the data that we're using.
ANDERSON: Can you tell us a little bit about the status of your use of encryption then?
MYROLD: We're in a process where we're currently encrypting all of our e-mail and making it consistent with another organization that we're integrating with. Then employees can bring mobile devices to our IT department to have them encrypted, and then desktops will be a final result for us, probably in 2012. ...
ANDERSON: What's your policy now on permitting the storage of patient information on mobile devices? Are you using a thin-client type of approach for access to information, or do you allow storage on a variety of devices?
MYROLD: We actually have moved to the thin-client process, and then if we have vendors or others who work remotely from a different location, what we do is we have the virtual environment where they log onto Citrix, and in some cases it actually takes up to four separate log-ins to actually get to the electronic health record. What we are finding is, rather than encrypting devices and having people download a lot of information, this works much better, and obviously it's a lot safer than having people carry around that type of data on a mobile device.